From 5798cf4689f310942325faded174dc6f50aa7c2d Mon Sep 17 00:00:00 2001 From: Chris Lindee Date: Mon, 14 Feb 2022 00:13:55 -0600 Subject: [PATCH] sepolgen: Update refparser to handle xperm Extend the grammar to support `allowxperm`, et. al. directives, which were added in policy version 30 to give more granular control. This commit adds basic support for the syntax, copying heavily from the grammar for `allowperm`, et. al. Signed-off-by: Chris Lindee --- python/sepolgen/src/sepolgen/refparser.py | 80 +++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py index e611637ff2..1d801f41c1 100644 --- a/python/sepolgen/src/sepolgen/refparser.py +++ b/python/sepolgen/src/sepolgen/refparser.py @@ -67,6 +67,7 @@ 'FILENAME', 'IDENTIFIER', 'NUMBER', + 'XNUMBER', 'PATH', 'IPV6_ADDR', # reserved words @@ -112,6 +113,10 @@ 'DONTAUDIT', 'AUDITALLOW', 'NEVERALLOW', + 'ALLOWXPERM', + 'DONTAUDITXPERM', + 'AUDITALLOWXPERM', + 'NEVERALLOWXPERM', 'PERMISSIVE', 'TYPEBOUNDS', 'TYPE_TRANSITION', @@ -179,6 +184,10 @@ 'dontaudit' : 'DONTAUDIT', 'auditallow' : 'AUDITALLOW', 'neverallow' : 'NEVERALLOW', + 'allowxperm' : 'ALLOWXPERM', + 'dontauditxperm' : 'DONTAUDITXPERM', + 'auditallowxperm' : 'AUDITALLOWXPERM', + 'neverallowxperm' : 'NEVERALLOWXPERM', 'permissive' : 'PERMISSIVE', 'typebounds' : 'TYPEBOUNDS', 'type_transition' : 'TYPE_TRANSITION', @@ -231,6 +240,12 @@ t_ignore = " \t" # More complex tokens +def t_XNUMBER(t): + r'0x[0-9A-Fa-f]+' + # Turn hexadecimal into integer + t.value = int(t.value, 16) + return t + def t_IPV6_ADDR(t): r'[a-fA-F0-9]{0,4}:[a-fA-F0-9]{0,4}:([a-fA-F0-9]|:)*' # This is a function simply to force it sooner into @@ -505,6 +520,7 @@ def p_policy(p): def p_policy_stmt(p): '''policy_stmt : gen_require | avrule_def + | avextrule_def | typerule_def | typebound_def | typeattribute_def @@ -810,6 +826,26 @@ def p_avrule_def(p): a.perms = p[6] p[0] = a +def p_avextrule_def(p): + '''avextrule_def : ALLOWXPERM names names COLON names identifier xperm_set SEMI + | DONTAUDITXPERM names names COLON names identifier xperm_set SEMI + | AUDITALLOWXPERM names names COLON names identifier xperm_set SEMI + | NEVERALLOWXPERM names names COLON names identifier xperm_set SEMI + ''' + a = refpolicy.AVExtRule() + if p[1] == 'dontauditxperm': + a.rule_type = refpolicy.AVExtRule.DONTAUDITXPERM + elif p[1] == 'auditallowxperm': + a.rule_type = refpolicy.AVExtRule.AUDITALLOWXPERM + elif p[1] == 'neverallowxperm': + a.rule_type = refpolicy.AVExtRule.NEVERALLOWXPERM + a.src_types = p[2] + a.tgt_types = p[3] + a.obj_classes = p[5] + a.operation = p[6] + a.xperms = p[7] + p[0] = a + def p_typerule_def(p): '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI @@ -987,6 +1023,50 @@ def p_optional_semi(p): | empty''' pass +def p_xperm_set(p): + '''xperm_set : nested_xperm_set + | TILDE nested_xperm_set + | xperm_set_base + | TILDE xperm_set_base + ''' + p[0] = p[-1] + if len(p) == 3: + p[0].compliment = True + +def p_nested_xperm_set(p): + '''nested_xperm_set : OBRACE nested_xperm_list CBRACE + ''' + p[0] = p[2] + +def p_nested_xperm_list(p): + '''nested_xperm_list : nested_xperm_element + | nested_xperm_list nested_xperm_element + ''' + p[0] = p[1] + if len(p) == 3: + p[0].extend(p[2]) + +def p_nested_xperm_element(p): + '''nested_xperm_element : xperm_set_base + | nested_xperm_set + ''' + p[0] = p[1] + +def p_xperm_set_base(p): + '''xperm_set_base : xperm_number + | xperm_number MINUS xperm_number + ''' + p[0] = refpolicy.XpermSet() + if len(p) == 2: + p[0].add(p[1]) + else: + p[0].add(p[1], p[3]) + +def p_xperm_number(p): + '''xperm_number : NUMBER + | XNUMBER + ''' + p[0] = int(p[1]) # # Interface to the parser